2. Explanation

Today I will show you a method to brute-force ASLR. This method is very useful because it bypasses the NX and ASLR protections together! It is only viable on x86 (32-bit) or smaller architectures, because of the address length. The steps are very similar to a Ret2libc attack, but in our case we take a LibC base reference address and loop the binary execution until ASLR places LibC at our reference address.

Well, it’s a Ret2libc as we saw in the previous article. The particularity is that we don’t know any of the addresses we need. So we first need to know the LibC base address in order to deduce the addresses we need.
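Before relying on a fixed LibC reference address, it helps to measure how much the LibC base actually moves between runs: the fewer bits change, the fewer runs a fixed guess needs. The following is an added example (not from the original article) that parses constructed /proc/<pid>/maps excerpts of a 32-bit process, one per run, and reports the observed randomized bits and the expected number of runs before a fixed guess matches; the file paths and addresses are made up.

```python
import os
from typing import Dict, List

# Constructed /proc/<pid>/maps excerpts, one snapshot per run of a 32-bit
# binary. Only the libc r-xp mapping matters: its start address is the libc
# base that a brute force waits to see at a fixed reference value.
SAMPLE_RUNS = [
    ["08048000-08049000 r-xp 00000000 08:01 99 /home/user/vuln",
     "b7e0c000-b7fb0000 r-xp 00000000 08:01 1234 /lib/i386-linux-gnu/libc.so.6"],
    ["08048000-08049000 r-xp 00000000 08:01 99 /home/user/vuln",
     "b7dd3000-b7f77000 r-xp 00000000 08:01 1234 /lib/i386-linux-gnu/libc.so.6"],
    ["08048000-08049000 r-xp 00000000 08:01 99 /home/user/vuln",
     "b7e0c000-b7fb0000 r-xp 00000000 08:01 1234 /lib/i386-linux-gnu/libc.so.6"],
    ["08048000-08049000 r-xp 00000000 08:01 99 /home/user/vuln",
     "b7e3f000-b7fe3000 r-xp 00000000 08:01 1234 /lib/i386-linux-gnu/libc.so.6"],
]

def libc_base(maps_lines: List[str]) -> int:
    """Start address of the executable libc mapping in one maps snapshot."""
    for line in maps_lines:
        fields = line.split()
        if len(fields) < 6 or not fields[1].startswith("r-x"):
            continue  # anonymous mapping or not executable
        name = os.path.basename(fields[5])
        if name.startswith("libc.so") or name.startswith("libc-"):
            return int(fields[0].split("-")[0], 16)
    raise ValueError("no executable libc mapping in snapshot")

def aslr_report(runs: List[List[str]], page_shift: int = 12) -> Dict[str, int]:
    """Count the libc-base bits observed to change across runs.

    XOR against the first base gives a lower bound on the real entropy: a bit
    that never flipped in the sample is not counted. With a uniform choice
    among 2**bits page-aligned bases, a fixed guess is expected to match
    after 2**bits runs (geometric distribution, p = 2**-bits).
    """
    bases = [libc_base(r) for r in runs]
    changed = 0
    for b in bases:
        changed |= b ^ bases[0]
    bits = bin(changed >> page_shift).count("1")  # drop the page-offset bits
    return {
        "runs": len(bases),
        "distinct_bases": len(set(bases)),
        "observed_random_bits": bits,
        "expected_tries_fixed_guess": 1 << bits,
        "aslr_active": int(bits > 0),  # 0: libc landed at the same base every run
    }

if __name__ == "__main__":
    print(aslr_report(SAMPLE_RUNS))
```

On a live system the same report can be produced by feeding it the libc line of `/proc/<pid>/maps` from a few dozen runs; a result of zero changed bits means ASLR is not applied to that process.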

If we check the library addresses we can see something very interesting:

It’s OK for the address offsets. Now we need a string for the first argument of the system function.
As a reminder:

int system(const char *command);

We will use a little trick for this: a string from a binary section whose addresses don’t change (like the rodata section). The string needs to end with a null byte (‘\0’). I’m in the habit of using a common binary string from the dynstr section:

You can see at line 378 that our buffer is 0x48 bytes from the base pointer, so we just need to add four bytes to that value to also overwrite the saved ebp. A little “echo” trick to convert a value from one base to another: